U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Office of the Secretary

Top Management Challenges Facing the Department of Commerce

Final Report No. OIG-19384
November 2008

FOR PUBLIC RELEASE

Office of Audit and Evaluation

November 18, 2008

MEMORANDUM FOR THE SECRETARY

FROM: Todd J. Zinser

SUBJECT: Top Management Challenges Facing the Department

The Office of Inspector General (OIG) is required by statute to annually report the top management challenges facing the Department of Commerce. We regularly discuss the Department’s progress in addressing these challenges in the IG’s Semiannual Report to Congress and the Department’s Performance and Accountability Report. We prepared this year’s report to highlight the top management challenges for the incoming leadership at the Department as part of the Presidential transition.

In our view, there are five critical issues the new Secretary and senior management team will need to focus immediate and considerable attention on, and we detail them, as follows, in this report:

1) Overcome the setbacks experienced in reengineering decennial processes, and conduct a successful 2010 Census.

2) Better position the Department to address information security risks.

3) Effectively manage the development and acquisition of NOAA’s two environmental satellites.

4) Establish a safety culture at NIST.

5) Ensure NTIA effectively carries out its responsibilities under the Digital Television Transition and Public Safety Act.

We also discuss several other areas that pose distinct challenges to the Department’s mission success and will therefore require the Secretary’s sustained attention:
• Weaknesses in the Department’s acquisition oversight and acquisition workforce
• USPTO’s long and growing patent processing times, and its financing vulnerabilities
• NOAA’s ability to conserve the nation’s fragile oceans and living marine resources while ensuring a vital U.S. commercial fishing industry
• BIS’ setbacks in modernizing its obsolete information technology infrastructure to strengthen the dual-use export control system

The challenges identified in our report reflect the broad findings of our work throughout the Department and the observations made by secretarial officers and heads of operating units during recent discussions with them. Two recurring themes emerged during these discussions, which serve as useful background for the new leadership in approaching the top challenges: (1) leading the Department’s autonomous bureaus, with their entrenched cultures that resist change, is exceedingly difficult, and (2) Commerce must deal with substantial infrastructure needs—such as upgrading aging IT assets and improving IT security—in a constrained budget environment.

Autonomous Bureaus with Entrenched Cultures. The historical mission of the Department is “to foster, promote, and develop the foreign and domestic commerce” of the United States. As a result of legislative and administrative additions, this mission now broadly encompasses the responsibility to foster, serve, and promote the nation’s economic development and technological advancement, and the activities of 12 disparate operating units. The Secretary’s principal focus is on formulating policy and providing advice to the President on this mission, particularly as it impacts U.S. trade activities and promotion.
But Commerce leadership must also ensure effective administrative processes (e.g., financial, human resources, procurement, information technology) Department-wide in order to carry out program operations.

The Department has been characterized as a holding company of 12 autonomous bureaus, most of which have long-established business models. The bureaus resist the centralized direction, control, and oversight needed to ensure that administrative processes are consistently and effectively applied. This autonomy is a substantial impediment to departmental efforts to control and improve these processes. Nevertheless, the Secretary is ultimately responsible for the performance of the Department as a whole, and needs to be able to effect program and process improvements and hold the bureaus accountable for their performance. To do so effectively requires establishing a shared vision among bureau leadership who in turn must marshal the cooperation of the Department’s career workforce.

Commerce’s career workforce is knowledgeable, long serving, and dedicated to the Department’s mission. The countless benefits of having such a workforce need no explanation. But these characteristics also mire the bureaus in entrenched cultures that are resistant to change. In this past year alone, there have been two prime examples in which a bureau’s culture contributed to significant problems—the failure of Census’s plan to use handheld computers for nonresponse follow-up in the 2010 decennial census and the plutonium spill at the National Institute of Standards and Technology’s Boulder campus.

An overarching challenge for the new Secretary and leadership team will be to break down the cultural barriers that impede cohesive and effective Department-wide management.

Infrastructure Needs.
The government is operating in an era of constrained budgets, requiring federal agencies to address critical infrastructure needs, such as IT security and aging IT systems, with limited existing resources. At Commerce this practice is quickly becoming unsustainable. The many critical infrastructure needs of the Department can no longer be funded with existing resources without significantly impacting essential, mission-related activities. The Department will have to develop convincing business cases to obtain the resources to address critical IT security and infrastructure needs and effectively manage these resources.

We appreciate the courtesies you, the Deputy Secretary, and other secretarial officers and heads of operating units extended to us during our recent meetings to discuss the management challenges.

If you have any questions concerning this report, please contact me at (202) 482-4661. You may also contact Judith J. Gordon, assistant inspector general for audit and evaluation, at (202) 482-2754.

Contents

1. Overcome the Setbacks Experienced in Reengineering Decennial Processes, and Conduct a Successful 2010 Census
   Program and contract mismanagement caused significant problems
   Organizational culture contributed to problems
2. Better Position the Department to Address Information Security Risks
   Joint OIG-Department plan, with focus on continuous monitoring of security controls, is improving Commerce’s security status
   Cyber Security Management and Assessment Tool should strengthen continuous monitoring efforts
3. Effectively Manage the Development and Acquisition of NOAA’s Two Environmental Satellites
   Continuing VIIRS problems jeopardize NPOESS mission
   Oversight structure has not been an effective mechanism for decision making
   NOAA and the Department need to follow accepted oversight procedures for the GOES-R acquisition
   NOAA needs to work with congressional committees on GOES-R reporting
4. Establish a Safety Culture at NIST
   Spill exposed weaknesses in NIST’s safety management that must be corrected
   NIST’s management structure has not supported a safety culture
   NIST facilities must comply with safety requirements
5. Ensure NTIA effectively carries out its responsibilities under the Digital Television Transition and Public Safety Act
   Converter Box Coupon Program is progressing with few problems, but close oversight must be maintained
   Grantees may not be able to complete projects within the legislation’s short funding time frame
   NTIA must consider options for ensuring the program achieves its objectives
Other Issues Requiring Significant Management Attention
   Weaknesses in the Department’s acquisition oversight and acquisition workforce
   USPTO’s long and growing patent processing times, and its financing vulnerabilities
   NOAA’s ability to conserve the nation’s fragile oceans and living marine resources while ensuring a vital U.S. commercial fishing industry
   BIS’ setbacks in modernizing its obsolete information technology infrastructure to strengthen the dual-use export control system
Acronyms and Abbreviations

1. Overcome the Setbacks Experienced in Reengineering Decennial Processes, and Conduct a Successful 2010 Census

The ability of the U.S. Census Bureau to successfully conduct its constitutionally mandated decennial count of U.S. residents in 2010 is at serious risk. After spending 8 years developing a completely new approach to census-taking—one that was to automate major field operations—the bureau scrapped plans for using handheld computer technology for the largest and most expensive of these operations, known as nonresponse follow-up, because of significant performance problems and the bureau’s loss of confidence in the Field Data Collection Automation (FDCA) contractor. It will now conduct this operation using paper and pencil, as it has done in previous censuses. The inability of Census and its contractor to work together to produce a handheld computer and related systems for field data collection as originally envisioned, combined with major flaws in the bureau’s cost-estimating methods and other issues, have added an estimated $2.2 billion to $3 billion to the original $11.5 billion life-cycle cost estimate for the 2010 decennial.

The Department and the Census Bureau have taken significant actions during the past year to address problems. These actions include extensive changes to decennial management, improvements in program management practices, and closer oversight of the decennial effort by the Department. However, despite these changes, significant risks remain for the 2010 decennial.
Whether the bureau can retool in time to conduct a reliable census, even at this increased price tag, represents, in our view, the most significant challenge facing the new Secretary of Commerce.

Census 2010 was to be the first high-tech count in the nation’s history, with decennial employees using handheld computers to verify addresses through global-positioning software, collect data from households that did not mail back census questionnaires (i.e., nonresponse follow-up), and manage a variety of information and tasks. The handheld computers were the centerpiece of the strategy and other decennial operations were built around or impacted by the decision to use them. Now nonresponse follow-up will revert to the traditional paper and pencil operation it has always been. The switch to paper processes will require additional field staff and support personnel—which means more time to hire and train, and more dollars to do so. And it means Census must modify its other plans and operations to account for the change.

Continued problems related to the FDCA project and the late transition to paper-based processes without extensive testing create an unprecedented level of risk. An inaccurate population count will have unacceptable consequences for the nation: at stake is apportionment of the 435 seats in the House of Representatives and equitable distribution of billions of dollars in federal and state aid.
Both GAO and OMB have designated the 2010 census as a high-risk program and it is under intense scrutiny by Congress.

Program and contract mismanagement caused significant problems

The overarching explanation for the significant problems Census has encountered to date is the failure of senior Census Bureau managers in place at the time to anticipate the complex IT requirements involved in automating the census. We reported numerous problems in the development and acquisition of the handheld devices and related field automation earlier in the decade. Census had originally intended to develop the handhelds in-house and tested prototypes in both 2004 and 2006. The devices had serious problems in both tests. These experiences should have better informed the bureau’s efforts to define requirements.

The bureau decided too late in the decade to contract for automation of field operations to meet ambitious fixed deadlines for the dress rehearsal tests starting in 2007 and decennial operations starting in 2009. After contract award, the bureau’s requirements remained in flux. As late as January 2008—nearly 2 years after contract award—Census finally delivered a first draft of a complete, user-validated set of requirements for the handhelds and supporting infrastructure. It had no contingency plan in the event the handhelds proved unusable.

The problems experienced in developing the handhelds have led to tremendous setbacks for numerous operations in addition to nonresponse follow-up: plans for testing and enhancing the handhelds for address canvassing—the only operation that will still use the devices—have been severely compressed. Address canvassing will undergo its final operational test over an 8-day period, rather than the 3 months originally allotted in the plan for the retooled census.
This operation is essential to, among other things, successfully delivering questionnaires and giving temporary staff accurate addresses and maps for nonresponse follow-up. Dress rehearsal testing of the operation—which concluded in June 2007—revealed serious technical problems. We question whether Census will have the time to resolve issues arising from the 8-day test, scheduled for December, before the start of the 2010 operation. Training of address canvassers for the live operation commences in February 2009, leaving the bureau only a short period of time to fix any problems identified in this final test.

Help desk operations—key to ensuring the handhelds function properly during address canvassing—are just now in the process of being redesigned. Census is also taking over the regional census center communications infrastructure, which under the contractor has experienced numerous problems that must be resolved to ensure a successful 2010 count.

Meanwhile, because of the inordinate attention and resources necessary to address field automation problems, Census has been unable to address the readiness of operations for enumerating some traditionally difficult groups and settings, such as the homeless, military bases, and group quarters—it dropped plans to test these operations from the 2008 dress rehearsal, which means the actual decennial count will be the proving ground for these operations. Enumeration procedures it previously tested—such as those planned for American Indian reservations—showed almost no effect on mitigating long-standing obstacles to producing an accurate count.
Yet the bureau has had no time to develop and test possible improvements.

Finally, the bureau must have a fingerprinting program in place prior to hiring the estimated 1.3 million temporary workers needed for field operations. Because the decision to fingerprint was made only recently, Census faces significant risks in implementing this estimated $148 million operation.

Organizational culture contributed to problems

The Census Bureau—particularly headquarters—is an insular organization that eschews open dialog with outside parties and even its own regional operations. As decennial census planning proceeded, the bureau minimized the significance of its problems, withheld information, and was not forthcoming with the Department, Congress, OIG, and other oversight agencies about the problems it was experiencing. Perhaps the most egregious example of the bureau’s insularity was its lack of transparency about the FDCA problems, allowing them to persist to the point of crisis. It was not until January 2, 2008, after a news report in Government Executive of a leaked MITRE analysis raising numerous red flags, that the Department, OMB, Congress, and other stakeholders became aware of the dire condition of the program. Presented to the then-deputy Census director in late November 2007, the MITRE document concluded,

    FDCA is in serious trouble. It is not clear the system will meet Census’ operational needs and quality goals. The final cost is unpredictable. Immediate, significant changes are required to rescue the program. However, the risks are so large considering the available time that we recommend immediate development of contingency plans to revert to paper operations.

This was not MITRE’s first warning. It had briefed the deputy director about the FDCA problems in June 2007. When this briefing appeared to stimulate little action, MITRE prepared the November analysis. Less than 2 weeks after the November warning, the then-bureau director testified to Congress that the handheld computer was working well, and gave no indication of MITRE’s concerns.

In the wake of the FDCA problems, the Secretary of Commerce announced that management and oversight of the 2010 census would be strengthened and deepened both at the bureau and the Department. He assigned several members of the Department’s senior political leadership to work with the bureau on a recovery plan, which has given the Secretary some measure of influence over the plan and visibility into the bureau’s progress. The upcoming transition of key departmental leadership positions necessarily creates the risk of disrupting existing oversight efforts for the most critical program for which the new Secretary will initially be accountable.

The Census Bureau prides itself on its “can do” attitude and considers tenure through multiple decennial censuses a prerequisite for any senior decennial position. Bureau staff views the decennial as so unique that there is little to be learned from newcomers or external sources no matter how distinguished or knowledgeable.

This vision has left the bureau generally unreceptive to new ways of doing business.
It has not kept pace with private sector advances in business process improvement and lacks insight into how these advances can benefit census operations. In deciding to use handhelds for decennial field automation—viewed by the bureau as a huge operational transformation—the bureau showed little regard or appreciation for the time and effort involved in gaining buy-in for significant business process changes from Census staff.

Leadership with private sector expertise is vital not only for improving decennial management but also for reappraising the bureau’s other programs and administrative operations. Although the bureau made personnel changes after the FDCA crisis became public, it has not yet brought in external management with expertise in successfully running complex programs and system acquisitions or in implementing contemporary private sector management methods. Both we and outside experts recommend such experience as a necessary requirement for shoring up the bureau’s management weaknesses and combating its insularity. Since the Census director is a Presidential appointee, there is the prospect that the director position will turn over again after the current director has been on the job for slightly more than 1 year. The inevitable delay involved in nominating and gaining confirmation of a new director means that the bureau will begin major decennial operations without the benefit of significant leadership continuity and management improvements.
Given the major late-stage changes to 2010 operations, having two short-time directors during the final 2 years of the decennial cycle, coupled with the long-term absence of proven high-level management expertise, could create additional challenges the bureau must be poised to address.

With the first major decennial operation (address canvassing) beginning in early 2009, the new Secretary will have little opportunity to impact planning for the 2010 decennial, although he or she will have responsibility for its overall implementation. The new Secretary does have the opportunity to impact planning for the 2020 census. We believe that applying the lessons learned from the 2010 decennial to the planning and reengineering of the 2020 decennial should also be a high priority for the new Secretary.

For more information, view the documents below at www.oig.doc.gov:

Reports
• 2010 Decennial Census: Dress Rehearsal of Address Canvassing Revealed Persistent Deficiencies in Approach to Updating the Master Address File (OSE-18599, October 2008)
• 2010 Decennial Census: Census Should Further Refine Its Cost Estimate for Fingerprinting Temporary Staff (OIG-19058-1, August 2008)
• 2010 Decennial Census: OIG Reviews Through the Decade Identify Significant Problems in Key Operations (OIG-19217, June 2008)
• 2010 Census: Key Challenges to Enumerating American Indian Reservations Unresolved by 2006 Census Test (OSE-18027, September 2007)
• Enumerating Group Quarters Continues to Pose Challenges (IPE-18046, October 2006)
• Valuable Learning Opportunities Were Missed in the 2006 Test of Address Canvassing (OIG-17524, March 2006)

In-Progress Reviews
• Audit of the Field Data Collection Automation Contract Type and Award Fee
• OIG Reviews of Decennial Census in Response to Secretarial Request

2. Better Position the Department to Address Information Security Risks

As in many federal agencies, putting proper information security controls in place has been an intractable problem at the Department of Commerce and a long-standing item on OIG’s watch list. Despite additional expenditures to mitigate the problem, the Department has reported information security as a material weakness every year since FY 2001.

What Is Certification & Accreditation and Why Is It Important?

Certification is a comprehensive assessment of security controls implemented in a computer system. It determines whether controls are implemented correctly, operating as intended, and meeting the security requirements for the system. Through the formal assessment of controls, the certifier identifies any vulnerabilities that have not been eliminated. Accreditation is management’s formal authorization to allow a system to operate and its explicit acceptance of the risks posed by remaining vulnerabilities. Through accreditation, senior agency officials take responsibility for the security of systems they manage and for any adverse impacts should a breach in security occur.

The Federal Information Security Management Act (FISMA) requires agencies to certify that their systems and data are protected with adequate, functioning security controls before authorizing (accrediting) a system to operate.
The reason for the material weakness at Commerce has been consistently inadequate certification and accreditation (C&A): year after year our FISMA reviews have found ineffective C&A processes that do not adequately identify and assess needed controls and ultimately fail to assure that systems and data are protected.

Securing systems from cyber threats is clearly the most difficult piece of the challenge, because these threats represent a moving target: they increase in number and sophistication almost daily. And as agencies incorporate wireless and other technologies to support their operations and workplace flexibilities, they invite new risks that must be anticipated and mitigated.

To be effective in this environment, the Department’s IT security program must be proactive and fluid, staffed by IT security professionals who have the appropriate skills and experience to implement required security controls, assess their effectiveness, and anticipate and respond to emerging threats. They also need appropriate security clearances to effectively deal with potential cyber attacks by hackers, terrorist groups, organized crime, and nation-states. We have found IT security personnel lack adequate understanding of the Department’s IT security policy, NIST standards and guidance, and security technology, and therefore cannot appropriately apply them. The Department cites lack of resources as a major impediment to improving IT security.

Commerce has had some notable security incidents that underscore the potential for harm.

• The Bureau of Industry and Security, which processes sensitive export license data, took one of its information systems off line in late 2006, after discovering it had been hacked, and the agency still has only limited Internet access. BIS reported that it reviewed firewall logs for the 8 months prior to detecting the intrusion, but could not determine how long the hackers were inside the system before their presence was discovered.

• The Census Bureau was one of several federal agencies to report hundreds of lost laptops potentially containing sensitive data. We assessed whether the laptops had adequate security controls to prevent unauthorized access. We determined they did not, and in fact could be compromised with tools that were readily available on the Internet. Census has since implemented full-disk encryption on its laptops to protect sensitive information.

• This past spring, U.S. authorities investigated media reports that a Commerce Department laptop carried on a foreign visit had been compromised and whether hackers could have obtained information to enable them to penetrate Commerce systems.
  Though the incident was not substantiated, the concern of wider access to Commerce systems reflects the core purpose and importance of effective C&A coupled with a dynamic IT security program: together they ensure controls to prevent such wider access are in place and constantly upgraded to mitigate new threats.

Joint OIG-Department plan, with focus on continuous monitoring of security controls, is improving Commerce’s security status

We have been working with the Department to eliminate the material weakness by the end of 2009 under a jointly developed plan that incorporates realistic milestones and measurable steps for building consistent and repeatable C&A practices. A key element of the strategy is continuous monitoring of security controls. The National Institute of Standards and Technology is updating its FISMA guidance to give greater emphasis to continuous monitoring as part of C&A. Continuous monitoring requires agencies to regularly assess and adjust their security controls to maintain or improve protective measures on an ongoing basis.

Our FY 2008 FISMA reviews noted improvements: we looked at nine systems and concluded that four of them (44 percent) were operating in compliance with federal and Department requirements (compared with 33 percent in FY 2007). Only one of the four had used an acceptable C&A process at the time of our review, but the remaining three showed subsequent improvements because of rigorous continuous monitoring activities.

Our FY 2008 FISMA review also looked at two USPTO systems—one operated by the agency and one operated by a contractor.
USPTO, which reports on its performance separately from the Department, first reported a material weakness in information security in FY 2002 because of inadequate C&A. With the exception of FY 2004 and FY 2005, USPTO has continued to report the material weakness. Both of the systems we looked at this year had deficient security plans, configuration settings, and security control assessments. Therefore, we concluded the IT security material weakness remains.

USPTO has initiated an effort to improve its C&As by having them verified and validated by an independent party before making the authorization decision. Also, USPTO has implemented a process to better document security control assessments and results, and continues to develop and refine a set of common security controls applicable to all of its systems. We therefore expect to see improvements in the future.

Cyber Security Management and Assessment Tool should strengthen continuous monitoring efforts

The Department has made progress toward implementing the Cyber Security Assessment and Management (CSAM) tool—a software application developed by the Department of Justice that allows users to take a 360-degree approach to C&A—they can input system information as they begin the C&A process, and, among other things, generate and implement a security plan that complies with FISMA requirements, analyze security requirements, and track resolution of vulnerabilities and the results of security control monitoring. The systems we reviewed this year were certified and accredited without the benefit of the tool. But once fully integrated, the tool should bring greater consistency to the C&A process across all Commerce bureaus, including USPTO, and give management greater visibility into it.
For more information, view the documents below at www.oig.doc.gov:

Reports
• FY 2008 FISMA Assessment of NWS Telecommunication Gateway System (OSE-19000, September 2008)
• FY 2008 FISMA Assessment of BEA Estimation Information Technology System (OSE-19001, September 2008)
• FY 2008 FISMA Assessment of Census Wireless Data Communications General Support System (OSE-19163, September 2008)
• FY 2008 FISMA Assessment of Field Data Collection Automation System (OSE-19164, September 2008)
• FY 2008 FISMA Assessment of NMFS Science and Technology System (OSE-19165, September 2008)
• FY 2008 FISMA Assessment of NWS International Satellite Communications System (OSE-19166, September 2008)
• FY 2008 FISMA Assessment of NESDIS Satellite Environmental Processing System (OSE-19167, September 2008)
• FY 2008 FISMA Assessment of Landon IP Information System (OSE-19367, September 2008)
• FY 2008 FISMA Assessment of Enterprise Remote Access System (OSE-19368, September 2008)
• FY 2007 FISMA Assessment of the Network Operations Center (OSE-18688, September 2007)
• FY 2007 FISMA Assessment of Client Services General Support System (OSE-18690-1, September 2007)
• FY 2007 FISMA Assessment of AESDirect Major Application (OSE-18690-2, September 2007)
• FY 2007 FISMA Assessment of Core Network General Support System (OSE-18840, September 2007)
• FY 2007 FISMA Assessment of Patent Search System—Primary Search and Retrieval (OSE-18841-1, September 2007)
• FY 2007 FISMA Assessment of Project Performance Corporation General Support System
(OSE-18841-2, September 2007)
• Progress Being Made in Certification and Accreditation Process, But Authorizing Officials Still Lack Adequate Decision-making Information (OSE-19019, September 2006)
• SARSAT’s E-Authentication Controls Do Not Provide Adequate Assurance of Users’ Identities (OSE-1820, September 2006)

In-Progress Review
• FY 2009 FISMA Assessment of the Bureau of Industry and Security’s IT Infrastructure System

3. Effectively Manage the Development and Acquisition of NOAA’s Two Environmental Satellites

NOAA is modernizing its environmental monitoring capabilities, spending billions of dollars on two satellite systems that provide critical data: the National Polar-Orbiting Operational Environmental Satellite System (NPOESS) and Geostationary Operational Environmental Satellite-R Series (GOES-R). Space acquisitions like NPOESS and GOES-R are highly technical and complex and have a history of cost overruns, schedule delays, and performance failures. The costs and schedules of both of these systems have significantly increased since the projects commenced.
They therefore require careful oversight to minimize any further disruption and to prevent any gaps in satellite coverage—a situation that could have serious consequences for the safety and security of the nation.

The $12.5 billion NPOESS project will provide continuous weather and environmental data for longer term weather forecasting and climate monitoring through the coming 2 decades.[1] The initial project plan called for the purchase of six satellites at a cost of $6.5 billion, with a first launch in 2008. But problems with a key sensor—the Visible/Infrared Imager Radiometer Suite (VIIRS)—were a major contributor to the increase in estimated cost, even as the number of satellites was reduced to four and the first launch pushed back to 2013. Recent analysis indicates that the $12.5 billion estimate could substantially increase in the near future.

The $7.7 billion GOES-R[2] system will offer an uninterrupted flow of high-quality data for short-range weather forecasting and warning, and climate research through 2028. An inadequate acquisition and management process contributed to underestimated costs for GOES-R and planned satellite capabilities that were too ambitious. As a result, the projected cost of GOES-R has increased from $6.2 billion to $7.7 billion, a major sensor has been removed, and the number of satellites to be purchased has decreased from four to two.[3]

[1] The cost of the NPOESS program is shared equally by NOAA and the Department of Defense.
[2] The GOES series of satellites have, since 1975, provided the United States with critical meteorological data for weather observation, research, and forecasting.
Satellites in production are given letter designations, which are changed to numbers after reaching orbit.
[3] An option for two additional satellites is included in the contract.

Reining in additional costs and delays in both programs requires very specific action and vigilant oversight. For NPOESS, the three agencies developing the system—NOAA, NASA, and the Department of Defense—must (1) control and resolve the continuing problems with VIIRS, and (2) improve triagency decision making.

For GOES-R, NOAA needs to (1) work closely with the Department to ensure it follows best practices in overseeing the acquisition while awaiting development of formal Commerce oversight policies and procedures, and (2) work with Congress to update the baseline life-cycle cost estimate used in its annual reporting on the satellite system.

Continuing VIIRS problems jeopardize NPOESS mission

Despite scaling back the program in 2007, NOAA reports continuing problems with VIIRS development, among them that the subcontractor has sacrificed quality to meet the schedule, failed to follow rigorous development and test procedures, and still does not have a permanent project team. The primary contractor for NPOESS has been unable to correct these problems. So an integrated program office team will work on-site with the subcontractor to help finish VIIRS development. An independent review team is investigating alternatives in the event VIIRS cannot be built successfully. If these problems are not resolved with some expediency, it could mean further delay for the launch of a pilot mission to test the new VIIRS instrument and may result in gaps in data coverage.
Because NPOESS is the only source of critical weather and environmental data, it is especially important that VIIRS problems be resolved and congressional confidence in and support of the program maintained.

Oversight structure has not been an effective mechanism for decision making

As joint project sponsors, NOAA, NASA, and Defense have direct oversight for the program through a triagency committee comprised of senior officials from each agency, but the committee has limited decision-making authority. For example, key acquisition documents initiated in June 2006 to formalize fundamental aspects of NPOESS management, testing, and cost, schedule, and performance baselines have not yet been finalized because their acceptance must be coordinated at higher agency levels.[4] NOAA is forming an independent review team to assess, among other things, the effectiveness of the triagency management structure. The team plans to report preliminary findings in January 2009. The challenge for NOAA is to gain consensus among its partners on how to make the committee a responsive decision-making body.

[4] The four key documents not yet signed are the NPOESS Tri-Agency Memorandum of Agreement, Acquisition Program Baseline, Acquisition Strategy Report, and Test and Evaluation Master Plan.

NOAA and the Department need to follow accepted oversight procedures for the GOES-R acquisition

GOES-R is wholly funded by Commerce, though the satellites will be developed and acquired jointly with NASA.
The structure of the program has introduced a new element of risk: NOAA now has the lead management role over the entire program (ground and space segments)[5] for the first time, giving the Department direct oversight responsibility as well. Our evaluation in 2007 found that significant weaknesses in oversight during earlier phases of the program led to the cost increases and schedule delays. Because GOES-R was not using an accepted life-cycle process, oversight officials were left without sufficient decision-making information. To address this problem we recommended, among other things, that the Department overhaul its major systems acquisition policy and NOAA identify how NASA management and oversight procedures would be followed for the entire program. NOAA and the Department took several significant actions in response to our review. NOAA finalized a GOES-R management control plan, which describes how NASA procedures will be applied, the Secretary delegated authority for key decisions to NOAA, and the Department has been working on a new major systems acquisition policy. However, the policy may not be ready before award of the GOES-R space and ground segment contracts in December 2008 and May 2009. In the absence of a revised policy, NOAA needs to work with the Department to develop effective interim oversight procedures prior to the planned awards.

NOAA needs to work with congressional committees on GOES-R reporting

The Mikulski Amendment to the 2008 Consolidated Appropriations Act requires NOAA to notify Congress[6] should GOES-R costs increase by 20 percent or more over the established baseline. However, the baseline used in the amendment is the cost estimate reported in NOAA’s FY 2008 presidential budget request ($6.9 billion). At that point, too little was known about the GOES-R program to develop a reliable estimate.
Since that time, the acquisition approach has been changed, the performance capabilities have been redefined, and the design has been refined, which resulted in the current $7.7 billion estimate. This projection is a more realistic and reliable baseline: it was developed in close collaboration with NASA, with guidance from a highly qualified independent review team, and with the benefit of an independent cost estimate. Although the current estimate does not breach the act’s 20 percent cost growth threshold, NOAA should work with Congress to reestablish the baseline at the new, more realistic level.

[5] In prior NOAA-NASA satellite programs, NASA managed the space segment.
[6] Notification is to be made to the Senate Committee on Appropriations and Committee on Commerce, Science, and Transportation; and the House Committee on Appropriations and Committee on Science and Technology.

For more information, view the documents below at www.oig.doc.gov:

Reports:
• Successful Oversight of GOES-R Requires Adherence to Accepted Satellite Acquisition Practices (OSE-18291, November 2007)
• Poor Management Oversight and Ineffective Incentives Leave NPOESS Program Well Over Budget and Behind Schedule (OIG-17794, May 2006)

4. 
Establish a Safety Culture at NIST

A June 2008 plutonium spill at the National Institute of Standards and Technology’s Boulder, Colorado, laboratory raised serious concerns about NIST’s ability to perform state-of-the-art research with radioactive and other dangerous materials while protecting the safety of workers and the community at large.

The plutonium spill was one of several incidents reported at NIST labs in the past few years that have revealed management flaws and a lax safety culture at the agency. But it was by far the most serious in terms of the potential for widespread harm.

Trace amounts of the material were subsequently found in the urine of several lab employees, but fortunately at levels too low to be dangerous. Moreover, small amounts of the material were discharged inappropriately into a laboratory sink and into restroom sinks. There is no evidence yet that any of the material reached the Boulder sewer system, but NIST has had to close the lab for decontamination—a process that NIST estimates will cost approximately $2.5 million with a scheduled completion date of April 2009. The time and cost required to fix the spill’s underlying causes will likely be much greater.

Spill exposed weaknesses in NIST’s safety management that must be corrected

The plutonium spill prompted a series of reviews by independent health and safety experts, the Department of Energy, and NIST’s Ionizing Radiation Safety Committee, all of which shared a common finding—a commitment to safety at NIST Boulder is seriously lacking.

The Department of Energy found, among other things, that NIST had not established a safety management system or protocols.
Safety roles and responsibilities were poorly defined, and the labs did not have the staff expertise to understand and analyze exposures to hazardous materials.

An independent reviewer noted that Boulder management does not consider safety to be its responsibility, but rather that of internal health and safety staff. And this staff had been told that safety must not interfere with creativity. One manager conveyed his misplaced sense of responsibility during an annual safety walk-through by talking on his cell phone rather than paying attention to conditions in the lab.

In addition, the circumstances under which the spill occurred are evidence that safety is not a core value: a guest researcher was allowed to work alone with the plutonium after normal business hours even though he had no training in handling radioactive materials.

NIST’s management structure has not supported a safety culture

In its FY 2006 annual report on NIST’s strategic direction, performance, and policies, the Visiting Committee on Advanced Technology[7] noted inconsistencies in safety procedures across NIST laboratories, and stated that “Safety is a leadership activity that senior NIST leadership must be actively involved in.” In principle, NIST management is committed to safety. But as a practical matter safety has not been a clearly delineated function within its organizational structure, and this contributed to the numerous lapses that occurred leading up to the spill.

The director’s position at Boulder had no line management authority for staff at the campus.
In effect, then, at the time of the spill, no one on-site had overall management responsibility for the safety of the work being conducted in Boulder or for managing the response to the incident. The then-director of the Boulder campus put it simply: “No one was in charge.”

NIST Boulder had only recently received permission to work with plutonium. There was no systematic, integrated management process for analyzing and preparing for the risks associated with this new work, for strictly managing the material once it arrived, for dedicating lab space to radioactive materials research, for ensuring personnel were properly trained to work with the plutonium, or for responding to related emergencies. Though NIST has issued a number of safety protocols over the years, such as the Laboratory Safety Manual and Safety Operation System, managers and staff at Boulder were not involved in developing them, were generally unfamiliar with their requirements, and often viewed them as voluntary guidelines. The lab was even found to be potentially noncompliant with several required federal and industry safety standards.

[7] The Visiting Committee on Advanced Technology was established by the Omnibus Trade and Competitiveness Act of 1988. The committee reviews and makes recommendations regarding general policy for NIST, its organization, its budget, and its programs to the Secretary of Commerce and Congress.

An analysis of Boulder safety staffing conducted by the on-site safety office found that NIST would need 13 full-time workers to properly perform safety functions it currently handles with only 5. At present, NIST addresses this staffing deficiency by simply deferring many safety tasks and by requiring
staff to work significant amounts of overtime—which could cause employee fatigue and indirectly result in more accidents.

NIST facilities must comply with safety requirements

The plutonium spill and the subsequent revelations regarding NIST’s lax safety culture are particularly disturbing in light of the agency’s international reputation as a world-class scientific organization. Yet rather than modeling best practices, NIST’s lax approach to safety increases risks to the agency and the greater community.

Two studies conducted by NIST have identified a backlog of more than $500 million in facility maintenance and repair requirements. A 2004 study found $458 million in deficiencies at NIST’s Gaithersburg campus and a 2008 study identified $48 million in deficiencies at Boulder. Many of the items relate directly to safety. NIST noted that it should be investing at least $50 million to $70 million annually to bring its facilities to a “fair” condition and stay ahead of further deterioration. According to the Department, NIST received $32 million for facilities in FY 2008.

It is clear from the circumstances surrounding the plutonium incident and subsequent revelations that, at a minimum, NIST must make safety a primary concern at all organizational levels and strictly comply with all federal requirements and industry standards.
It must establish and enforce stringent policies and procedures for handling hazardous materials and strict lines of accountability for implementing them.

At the request of the Deputy Secretary, the Office of Inspector General is reviewing safety at NIST, with a specific focus on the agency’s management structure as it relates to safety, as well as its policies and procedures for handling radioactive materials. We are examining NIST’s systems for identifying safety resource requirements, allocating resources to safety, and addressing safety requirements in planning and budgeting for its work.

For more information, view the documents below at www.oig.doc.gov:

In-Progress Reviews
• OIG Review of NIST Management Structure and Safety and Training Systems in Response to Deputy Secretary Request
• Joint OIG/Nuclear Regulatory Commission Investigation of NIST’s Compliance with its Special Nuclear Materials License

5. Ensure NTIA Effectively Carries Out Its Responsibilities Under the Digital Television Transition and Public Safety Act

The Digital Television Transition and Public Safety Act of 2005 assigned the National Telecommunications and Information Administration responsibility for implementing a $2.5 billion initiative for the conversion to digital television and improvements to public safety communications.
The act authorizes NTIA to use $1.5 billion to support the nation’s February 2009 switch to all-digital broadcasting by offering coupons toward the purchase price of converter boxes that will enable analog television viewers to receive digital programming.

A primary purpose of the switch to digital television is to free up radio frequencies for advanced wireless emergency communications at state and local levels, thus improving the ability of first responders to communicate with one another during emergencies. The act authorizes NTIA to provide approximately $1 billion in grants for public safety interoperable communications (PSIC) projects in all 50 states, the District of Columbia, and the U.S. territories—a total of 56 entities. This is a significant undertaking for NTIA, whose prior experience administering grants has been with two small programs: the Public Telecommunications Facilities Program, whose FY 2008 funding availability was just $16.8 million, and the discontinued Technology Opportunities Program, which issued a total of $233 million in grants during its 10-year span (1994-2004).

The authorizing legislation requires NTIA to coordinate with the Department of Homeland Security in administering the PSIC program and set a statutory deadline of September 30, 2010, to expend grant funds. Subsequent legislation set a statutory deadline of September 30, 2007, for the award of grants.

Converter Box Coupon Program is progressing with few problems, but close oversight must be maintained

NTIA has made substantial progress in helping prepare television viewers for the switch to digital broadcasting: in August 2007 it contracted with IBM to provide certain services to implement the $1.5 billion Converter Box Coupon Program.
The program offers up to two $40 coupons per household to offset the purchase price of the boxes, which will enable consumers who rely on analog signals for television reception to receive digital broadcasts after February 17, 2009. NTIA had issued more than 26 million coupons as of September 30, 2008, and redeemed 10 million of them. Although television stations will cease analog broadcasting on February 17, consumers can request coupons until March 31, 2009, or while supplies last.

Maintaining strict accountability for funds in a program of this type and size requires careful oversight and strong internal controls to guard against fraud, waste, and abuse among retailers and to ensure the program is properly closed out by September 2009, as required by the act. Potential fraud schemes include selling the free coupons to consumers, or retailer redemption of coupons for converter boxes that were not provided. NTIA has not yet discovered any egregious instances of waste, fraud, and abuse, but has decertified 16 retailers for violating program rules.

As the program moves toward completion, NTIA should continue to update and strengthen its internal controls to reflect evolving program requirements and circumstances, such as recent program rule changes that make coupons available to residents of nursing homes, intermediate care facilities, assisted living facilities, and households that use a post office box for residential mail delivery.
Based on its own analysis, NTIA believes it is prepared to handle a significant uptick in coupon demand as the transition date approaches.

Although administering the coupon program is NTIA’s primary role, the act authorizes the agency to use up to $5 million for outreach and education to ensure that consumers know about both the digital TV transition and the coupons. NTIA has targeted geographic areas and demographic groups that have the highest percentage of analog-only households. The outreach strategy provides for intensified publicity at critical points in the conversion, such as the approach of the February 17, 2009, switch and the March 31 deadline for coupon requests. However, there are bound to be households that do not get the message in time and find themselves without television reception on February 17. Although the Federal Communications Commission (FCC) has primary responsibility for consumer education and outreach, NTIA should continue to work with stakeholders, including representatives of at-risk groups, to ensure a smooth transition to digital television.

Grantees may not be able to complete projects within the legislation’s short funding time frame

The PSIC program is a one-time grant opportunity to target specific funds and resources toward improving the interoperability of local and state voice and data communications. But grantees are moving slowly, and whether they can complete their projects by the statutory deadline of September 30, 2010, is questionable.

As of September 2008, grantees had spent less than 1.5 percent of the available $1 billion, which leaves them only 2 years to complete their projects or lose funding.
But many of the projects involve activities that could take much longer: GAO found that acquiring and deploying interoperable communications equipment and infrastructure in similar Homeland Security grants programs was slowed by state-imposed legal and procurement requirements.[8] These could also impact the PSIC program, as well as other considerations: for example, PSIC grantees may need to obtain FCC licenses—a process that can take months—before they can erect communications towers to support interoperability. Time must also be factored in for training responders to use the systems once they are up and running. Under PSIC’s authorizing statutes, money not spent within the 3-year term will be returned to the Treasury.

In September and October 2008 we contacted 22 grantees, including 19 of the 20 receiving the largest grants. Only one of the 22 grantees stated that it plans to acquire most of its interoperable communications equipment within the next 6 months. Eight of the 22 stated that they are in the early stages of planning their acquisitions. The other 13 will start acquiring most of their interoperable communications equipment in late FY 2009 or possibly in the beginning of FY 2010. Given all that must follow the purchase of equipment—installation, operational testing, and training, at a minimum—grantees who are still in the acquisition stage as late as FY 2010 face the very real possibility of arriving at the program’s September 30 deadline with partially completed projects but without funding to finish them out.

NTIA must consider options for ensuring the program achieves its objectives

Part of the reason for the grantees’ slow start is the way the PSIC awards process worked. Because of the September 30, 2007, award deadline imposed by the Call Home Act of 2006, PSIC awards preceded approval of individual project plans and release of funds.
This was unlike other Commerce grants programs, which award grants competitively, based on the merit of a project’s proposal. As a result, many recipients spent the first year of the 3-year grant period developing plans, obtaining their approval, and awaiting availability of funds.

[8] U.S. Government Accountability Office, March 11, 2008. Homeland Security: DHS Improved its Risk-Based Grant Programs’ Allocation and Management Methods, But Measuring Programs’ Impact on National Capabilities Remains a Challenge, GAO-08-488T. Washington, D.C.

NTIA should expeditiously identify grantees that are at high risk of not meeting the statutory deadline for completing their projects, give them the technical assistance they need to accelerate the process, carefully monitor their progress, and keep Congress informed of the PSIC program’s status toward achieving its objectives. If any entities seem still unlikely to meet the deadline, NTIA should work with Congress to extend it.

For more information, view the documents below at www.oig.doc.gov:

In-Progress Reviews
• NTIA Should Further Improve Digital-to-Analog Converter Box Coupon Program Internal Controls to Prevent Fraud, Waste, and Abuse (CAR-19004-1, draft October 2008, final estimated November 2008)
• First Annual Assessment of Public Safety Interoperable Communications Grants (DEN-19003, draft estimated November 2008, final estimated January 2009)
• Audits of Public Safety Interoperable Communications Grants for Arkansas, Louisiana, Pennsylvania, and Nevada.
Department of Commerce                                Final Report OIG-19384\n\nOffice of Inspector General                                        November 2008\n\n\n\n\nOther Issues Requiring Significant Management Attention\n\nSeveral other Commerce operations and activities present distinct challenges,\nand their resolution is essential to the Department\xe2\x80\x99s sound management and\nmission success. The first\xe2\x80\x94acquisition management\xe2\x80\x94has ramifications\nDepartment-wide. The remaining three\xe2\x80\x94though agency-specific\xe2\x80\x94have a\ndirect bearing on U.S. economic strength and competitiveness, environmental\nprotection, or national security.\n\nWeaknesses in the Department\xe2\x80\x99s Acquisition Oversight and\nAcquisition Workforce\n\nAcquisition and contract management has been a consistent watch list item\nfor inspectors general and GAO, as related government spending has\nballooned in recent years. Spending on contracts government-wide, for\nexample, has more than doubled since 2000\xe2\x80\x94from $208 billion to $430 billion\nin FY 2007\xe2\x80\x94while the federal acquisition workforce has remained fairly\nconstant: roughly the same number of skilled professionals now oversee more\nthan twice as many federal contract dollars as they did 7 years ago, and the\nprojects they support have greatly increased in complexity and risk.\n\nShortfalls and failures in major systems acquisitions are all too common in\nfederal programs. And contracts of all sizes and complexity are at risk for\nfraud and waste because of poor oversight and lax controls.\n\nOver the next 2 years, the Department of Commerce will spend an average of\napproximately $3 billion annually on goods and services. The 2010 decennial\ncensus and two critical NOAA satellite systems will account for roughly a\nthird of these annual expenditures. 
All three of these programs have already
suffered significant cost overruns and schedule delays because of poor
acquisition management.

The Department does not have coherent policies to guide systems acquisition
or effective oversight mechanisms, and these failings were major contributors
to the problems we identified with NOAA’s GOES-R satellite program and
the Census Bureau’s Field Data Collection Automation contract. It also lacks
a sufficient amount of skilled contracting and project management
expertise—a problem all federal agencies are grappling with. Hiring and
retaining a skilled acquisition workforce has been difficult, and the
competition stiff. Commerce has a limited number of contracting specialists
to meet its multibillion-dollar workload. It has no reliable count of its
program and project managers or contracting officer’s technical
representatives, although skilled professionals in these positions are also at a
premium.

The Department is working to address these problems, but the process is
slow and in its early stages. Commerce is strengthening acquisition and
contracting by updating its antiquated policies and procedures to promote
more effective planning, implementation, and oversight.
It is also taking
steps to make better use of its oversight bodies—the Acquisition Review
Board and the Commerce Information Technology Review Board—and to
integrate their activities, to ensure acquisition plans are appropriate, and
programs and contracts are reviewed at key decision points in their life cycle.

But success in these efforts will not be enough to improve the Department’s
overall acquisition operations without commensurate success in hiring and
retaining a qualified acquisition workforce. The pool of applicants for these
jobs is not large, and the looming retirement of some 50 percent of the
current federal acquisition workforce over the next 10 years may well push
shortages beyond the critical point.

OMB, the Federal Acquisition Institute, and the Office of Personnel
Management recently launched the Federal Acquisition Intern Coalition to
attract interest in federal contracting among college students. The
Department needs a comprehensive human capital strategy that (1) taps into
such recruiting initiatives, (2) explicitly defines what acquisition skills and
competencies it needs and how they will evolve over the short- and long-term,
and (3) offers professional development and other incentives to attract and
keep qualified candidates.

For more information, view the documents below at www.oig.doc.gov:

Reports
• The Office of Acquisition Management Has Not Implemented New
  Contracting Policies in a Timely Manner (IPE-19045, June 2008)
• The National Data Buoy Center Should Improve Data Availability and
  Contracting Practices (IPE-18585, May 2008)
• Successful Oversight of GOES-R Requires Adherence to Accepted Satellite
  Acquisition Practices (OSE-18291, November 2007)

In-Progress Reviews
• Audit of the Field Data Collection Automation Contract Type and Award
  Fee

USPTO’s Long and Growing Patent Processing Times, and Its Financing Vulnerabilities

The efficiency with which the U.S. Patent and Trademark Office processes
patent applications has a direct bearing on how well it achieves its mission of
promoting U.S. competitiveness. Meeting the demand for new patents in a
timely manner has been a long-standing challenge for USPTO. Increases in
both the volume and complexity of patent applications have lengthened
application processing times and backlogs dramatically. In 2004, USPTO had
a patent backlog of nearly a half-million applications and average processing
times of 27 months. By 2007, processing times averaged nearly 32 months,
with wait times for communications-related patents as long as 43 months. As
of September 30, 2008, USPTO reported a backlog of 750,596 applications
and estimated that the backlog will exceed 860,000 by September 2011.
USPTO needs to reverse the upward trend and continue to implement
measures discussed in its 2007-2012 strategic plan that have a significant
impact on reducing the backlog, such as shortening application review times,
improving examiner error rates, and hiring, training, and retaining skilled
examiners.

USPTO’s unique financing structure also presents challenges. There is a
complex relationship between the number of patent applications filed, the
size of the application backlog, the number of patents issued, and the fees
USPTO collects in connection with the patent process. The agency uses fees
collected today to pay for patent applications filed and examined in prior
years. With the backlog growing, processing times increasing, and the
number of patents issued flattening, this method of financing could become
increasingly risky.
The current model for financing USPTO’s critical mission
warrants attention to ensure that it will continue to provide sufficient
funding to process all backlogged applications as well as any newly filed.

For more information, view the document below at www.oig.doc.gov:

In-Progress Reviews
• Audit of USPTO’s Quality Assurance Process

NOAA’s Ability to Conserve the Nation’s Fragile Oceans and Living
Marine Resources While Ensuring a Vital U.S. Commercial Fishing
Industry

According to NOAA, 3.5 million square miles of our coastal and deep ocean
waters and the Great Lakes support over 28 million jobs—one of every six—
in the United States, and the value of the U.S. ocean economy tops
$115 billion. But these economic benefits come at great cost as the health of
our oceans and coastal ecosystems continues to decline in the face of
increasing coastal development, pollution, overfishing, and the destructive
impact of invasive species.

Charged with maintaining and improving the viability of marine and coastal
ecosystems while supporting global marine commerce and transportation,
NOAA manages a significant portion of the federal government’s investment
in living marine resources.
It faces difficult challenges in promoting the
health of these resources while ensuring they sustain the vital economic
benefits we derive from them.

In January 2007, the President signed the reauthorized Magnuson-Stevens
Fishery Conservation and Management Act, which requires annual catch
limits, an end to overfishing by 2011, and better integration of fishery
management planning with national environmental review procedures to
ensure the environmental impacts of any significant ocean activity under
consideration are thoroughly vetted. The challenge for NOAA will be to
implement these new requirements in a manner that improves the status of
our marine resources without undermining the health of the U.S. fishing
industry. To fulfill its mandates for living marine resources, NOAA also
needs to take action to rebuild populations of protected species, conserve
important habitats, and undertake the science programs necessary to
improve its understanding of complex marine ecosystems.

For more information, view the documents below at www.oig.doc.gov:

Reports
• National Marine Sanctuary Program Protects Certain Resources, But
  Further Actions Could Increase Protection (IPE-18591, February 2008)
• NOAA’s Management of the Joint Enforcement Agreement Program
  Needs to Be Strengthened (IPE-19050-1, September 2008)

In-Progress Reviews
• Audit of NOAA’s Direct Loan Program
• Review of Allegations that NMFS’ Northeast Region Is Not Using the Best
  Available Science in Management Decisions

BIS’ Setbacks in Modernizing Its Obsolete Information Technology
Infrastructure to Strengthen the Dual-Use Export Control System

In January 2007, GAO added the Bureau of Industry and Security’s dual-use
export control system to its government-wide high-risk list. One of the key
challenges facing BIS in ensuring that the dual-use export control system is
properly equipped to advance U.S. national security, foreign policy, and
economic interests is the replacement of its obsolete Export Control
Automated Support System (ECASS). BIS’ core export administration and
enforcement business processes are directly supported by ECASS.
Approximately 450 federal staff and 28,000 exporters currently use the
system. However, the database structure—originally deployed in 1984—is
complex and no longer supported by the technology industry. The effort to
modernize ECASS began in 1996, but the project has been underfunded and
beset by technical problems and schedule slips that current management has
been attempting to address in a budget-constrained environment.

The current projected completion date for the ECASS modernization is
FY 2014. Based on our interviews, the total funding requirements for ECASS
modernization are not clearly established. BIS must provide a comprehensive
plan for what is required to modernize ECASS, including how much it will
cost and how it will avoid the management and technical problems
experienced in past modernization attempts.

Enhancing the performance of ECASS and ensuring continued operation of
an effective licensing information system are far too important to postpone
any longer.
BIS must demonstrate that it has a modernization strategy and
plan in place to convincingly make the case for increased funding, or develop
a plan to implement its ECASS modernization effort with existing resources
(i.e., reallocate existing funding).

For more information, view the documents below at www.oig.doc.gov:

Reports
• Annual Follow-Up Report on Previous Export Control Recommendations,
  as Mandated by the National Defense Authorization Act for Fiscal Year
  2000, as Amended (IPE-18546, March 2007)
• BIS Needs to Strengthen Its ECASS Modernization Efforts to Ensure
  Long-Term Success of the Project (IPE-14270, February 2002)

Acronyms and Abbreviations

BIS           Bureau of Industry and Security
BEA           Bureau of Economic Analysis
C&A           Certification and Accreditation
CSAM          Cyber Security Assessment and Management
ECASS         Export Control Automated Support System
GAO           Government Accountability Office
GOES-R        Geostationary Operational Environmental Satellite-R Series
FCC           Federal Communications Commission
FDCA          Field Data Collection Automation
FISMA         Federal Information Security Management Act
NESDIS        National Environmental Satellite, Data, and Information Service
NIST          National Institute of Standards and Technology
NOAA          National Oceanic and Atmospheric Administration
NMFS          National Marine Fisheries Service
NPOESS        National Polar-Orbiting Operational Environmental Satellite System
NTIA          National Telecommunications and Information Administration
NWS           National Weather Service
OMB           Office of Management and Budget
PSIC          Public Safety Interoperable Communications
SARSAT        Search and Rescue Satellite-aided Tracking
USPTO         United States Patent and Trademark Office
VIIRS         Visible/Infrared Imager Radiometer Suite